CVE-2025-43973

6.8 MEDIUM

📋 TL;DR

A buffer boundary error in GoBGP's RTR message processing allows attackers to cause denial of service or potentially execute arbitrary code by sending specially crafted RTR packets. This affects all GoBGP deployments using RTR protocol functionality before version 3.35.0. Network operators using GoBGP for BGP routing with RTR integration are primarily affected.

💻 Affected Systems

Products:
  • GoBGP
Versions: All versions before 3.35.0
Operating Systems: All platforms running GoBGP
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when RTR protocol is enabled and accessible

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise and routing table manipulation

🟠

Likely Case

Denial of service causing GoBGP process crashes and network routing instability

🟢

If Mitigated

Limited impact with proper network segmentation and input validation

🌐 Internet-Facing: MEDIUM - Requires RTR protocol exposure to untrusted networks
🏢 Internal Only: LOW - Typically RTR is used in controlled BGP environments

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to RTR port (typically TCP 323)

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.35.0

Vendor Advisory: https://github.com/osrg/gobgp/commit/5693c58a4815cc6327b8d3b6980f0e5aced28abe

Restart Required: Yes

Instructions:

1. Stop GoBGP service.
2. Update to GoBGP 3.35.0 or later using package manager or source compilation.
3. Restart GoBGP service.
4. Verify version with 'gobgp version'.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict access to RTR port (TCP 323) to trusted sources only

iptables -A INPUT -p tcp --dport 323 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 323 -j DROP

Disable RTR Protocol

all

Disable RTR functionality if not required

Edit GoBGP config to remove RTR sections or set 'enabled: false'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GoBGP RTR interface
  • Deploy network-based intrusion detection to monitor for RTR protocol anomalies

🔍 How to Verify

Check if Vulnerable:

Check the GoBGP version with 'gobgp version'; the installation is vulnerable if the reported version is below 3.35.0

Check Version:

gobgp version

Verify Fix Applied:

Confirm version is 3.35.0 or higher with 'gobgp version' and test RTR connectivity
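
The version check above as a script suitable for running across several hosts. This is an added example, not part of the original advisory or the GoBGP project; it assumes 'gobgp version' prints a dotted MAJOR.MINOR.PATCH string somewhere in its output, and the function names are hypothetical.

```sh
#!/bin/sh
# Fixed release named in this advisory.
FIXED_VERSION="3.35.0"

# Extract the first MAJOR.MINOR.PATCH triple from arbitrary text.
# Assumption: the version output contains such a triple.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when version $1 is numerically lower than version $2.
# Fields are compared as integers, so 3.9.0 sorts below 3.35.0
# (a plain string comparison would get that case wrong).
version_lt() {
    old_ifs=$IFS
    IFS=.
    set -- $1 $2          # six fields: a.b.c then x.y.z
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -lt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -lt "$5" ]; return; }
    [ "$3" -lt "$6" ]
}

# Print VULNERABLE, PATCHED or UNKNOWN for the given version output.
# Exit status: 0 patched, 1 vulnerable, 2 version not recognised.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE $v"
        return 1
    fi
    echo "PATCHED $v"
}

# Check the local binary when it is installed.
if command -v gobgp >/dev/null 2>&1; then
    classify "$(gobgp version 2>&1)"
fi
```

The exit status of classify lets a configuration-management or monitoring job flag hosts that still need the update.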

📡 Detection & Monitoring

Log Indicators:

  • GoBGP process crashes
  • RTR connection errors
  • Memory access violation logs

Network Indicators:

  • Unusual RTR protocol traffic patterns
  • Multiple connection attempts to port 323

SIEM Query:

source="gobgp.log" AND ("panic" OR "segmentation fault" OR "rtr error")
